You can’t erase your Twitter footsteps, it turns out: what goes into Twitter stays lodged in its guts for years.

That’s because of a glitch that a bug hunter is calling a “functional bug.” The bug, discovered by security researcher Karan Saini, keeps direct messages (DMs) from being completely deleted: they persist even if you or others have deleted the messages, and even if the accounts that sent or received the DMs have been deactivated and suspended:

Folks are having some trouble understanding this, so here is a short summary:
DMs are never “deleted”—rather only w… twitter.com/i/web/status/1…

The researcher says that he reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve DMs even after a message was deleted from both the sender and the recipient. That earlier bug couldn’t get at DMs from suspended accounts, however.

According to Twitter’s privacy policy, when you delete your account, everything is supposed to go up in smoke after a grace period of 30 days:

When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on Twitter.com, Twitter for iOS, and Twitter for Android. For up to 30 days after deactivation it is still possible to restore your Twitter account if it was accidentally or wrongfully deactivated.

Back in 2013, Twitter users could “unsend” DMs, meaning that they could rub them out of someone else’s inbox by simply deleting the messages from their own. Years ago, Twitter changed that: users can now only delete messages from their own accounts. From Twitter’s help page:

When you delete a Direct Message or conversation (sent or received), it is deleted from your account only. Others in the conversation will still be able to see Direct Messages or conversations that you have deleted.

According to Fortune, Saini reported the bug through HackerOne, a bug bounty platform that works with Twitter.

A Twitter spokesperson told TechCrunch that as of Friday, the company was looking into the matter “to ensure we have considered the entire scope of the issue.” Twitter also told Fortune that the issue is “still open,” so as of Saturday, they couldn’t publicly comment on specifics.

Like Saini, Twitter is also calling this a “functional bug,” as opposed to a “security bug.” Its spokespeople declined to comment when TechCrunch asked if Twitter considers account deletion to be akin to withdrawing consent to retain direct messages.

I asked Twitter for comment and will update this article if I hear back.